On Wed, Jul 28, 2010 at 5:43 AM, Dick Hardt <dick.ha...@gmail.com> wrote:
>
>
> On 2010-07-27, at 12:34 AM, Nat Sakimura wrote:
>
>> I have a fundamental question.
>>
>> While separating signature and payload by a dot "." seems ok,
>> I still have not the answer for the question "why not make everything
>> into JSON and base64url it?".
>
> bloat from base64 encoding twice

Right. Then, what about just removing any newlines from the Magic Signature
JSON representation?

>
>>
>> BTW, some of the envelope parameters such as alg need to be signed as
>> well to thwart the algorithm replacing attack.
>
> would you elaborate on the attack?
>

It is the attack that was talked about some time ago around XML Dsig.
Basically, the attacker replaces the algorithm from a good one to a
compromised one so that he can create a new signature for the tampered data.

--
Nat Sakimura (=nat)
http://www.sakimura.org/en/
http://twitter.com/_nat_en
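
The algorithm-replacement problem discussed in this message, as an added example that is not part of the original thread or of the Magic Signatures draft: a verifier regression check comparing an envelope whose alg is outside the signature with one whose alg is covered by it. Assumptions: HMAC stands in for the signature primitive, `fold32` is a constructed weak digest playing the role of the compromised algorithm, and every name and value here is hypothetical.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed; stands in for the signer's key

def fold32(data: bytes) -> bytes:
    """Constructed weak digest: XOR of the data folded into 32 bytes."""
    out = bytearray(32)
    for i, b in enumerate(data):
        out[i % 32] ^= b
    return bytes(out)

DIGESTS = {"sha256": lambda d: hashlib.sha256(d).digest(), "fold32": fold32}

def sign(payload: bytes, alg: str, bind_alg: bool) -> dict:
    digest = DIGESTS[alg](payload)
    # bind_alg=True puts the alg label under the signature next to the digest.
    signed = alg.encode() + b"\x00" + digest if bind_alg else digest
    sig = hmac.new(KEY, signed, hashlib.sha256).digest()
    return {"payload": payload, "alg": alg, "sig": sig}

def verify(env: dict, bind_alg: bool) -> bool:
    if env["alg"] not in DIGESTS:
        return False
    expected = sign(env["payload"], env["alg"], bind_alg)["sig"]
    return hmac.compare_digest(expected, env["sig"])

def substitute_alg(env: dict, new_payload: bytes) -> dict:
    """Test fixture: relabel a sha256 envelope as fold32 around changed data.

    No key is used; the old signature value is kept as-is.
    """
    target = DIGESTS["sha256"](env["payload"])
    padded = new_payload + b"\x00" * (-len(new_payload) % 32)
    fix = bytes(a ^ b for a, b in zip(fold32(padded), target))
    return {"payload": padded + fix, "alg": "fold32", "sig": env["sig"]}

def demo() -> dict:
    """Map bind_alg -> (genuine envelope accepted, substituted one accepted)."""
    results = {}
    for bind_alg in (False, True):
        good = sign(b"pay alice 10", "sha256", bind_alg)
        swapped = substitute_alg(good, b"pay mallory 9999")
        results[bind_alg] = (verify(good, bind_alg), verify(swapped, bind_alg))
    return results

if __name__ == "__main__":
    print(demo())
```

With alg left outside the signed bytes the relabelled envelope verifies; with alg covered by the signature the same envelope is rejected while the genuine one still verifies.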